Desktop and Application Streaming

Next-level SaaS security with Amazon WorkSpaces Web

“The only constant is change.” Wise words that continue to hold true. For years, enterprise IT has wrestled with the trend towards more flexible and agile work environments, a trend that has accelerated recently. Today, business professionals expect instant productive, no matter the time or physical location. Critically, they also seek best of breed applications, which are increasingly web-delivered. Analysts predict that over 80% of enterprise apps will be SaaS by the end of the decade. The result? For many professionals, the web browser replaces the desktop for where work gets done.

What’s not changing? The Internet remains an attractive target for bad actors. Security analysts project the volume of online threats doubles year over year, with 80% of these cyber attacks targeting the local web browser. In other words, securing end-user computing doesn’t end at the physical walls of the corporate office or virtual edge of the corporate network. Businesses need to secure workloads from anywhere, at any time, running on both managed and unmanaged devices, all on a global network that is constantly under threat.

The productivity and agility benefits provided by web-based applications fuel their growing demand. Unfortunately, the Internet is the primary target of malicious players. So, how do you get your cake and eat it too? I recommend adopting Amazon WorkSpaces Web, the best way to securely deliver Software-as-a-Service (SaaS) and other web-based applications. WorkSpaces Web is a cost-effective, fully managed, Linux-based service, designed to secure browser-based workloads, whether accessing internal websites, using public or private SaaS applications, or just browsing the internet. With WorkSpaces Web, the end user’s browser runs in the cloud. Web applications are accessed and rendered from a hardened, non-persistent Security-Enhanced (SE) Linux instance. WorkSpaces Web is largely transparent to end users, who continue to interact with web content like they always have. Their web data, however, is ephemeral, neither reaching the end point nor persisting on the “cloud browser,” which is terminated at the end of the browsing session. Instead of running client software that is long-lived and vulnerable, exposing the corporate network and company data to risk, the browser becomes a moving target–disappearing, reappearing, and disappearing again. WorkSpaces Web is virtually isolated from the end user’s device, dramatically reducing the threat of online attacks.

So, what does this look like in practice? Here’s a visual:

Most folks who look at this image think, “that’s a browser.” Exactly! We know that it can be a struggle to balance improved security with end-user productivity, as security measures often introduce friction that frustrates end users. We created a robust security solution with granular IT controls that present minimal to no disruption to end-user experiences.

To be sure, there is a dizzying array of tooling and services designed to improve online security. And while the trend towards “zero trust” is one I fully support, most zero trust checks are like the old X-Files character Fox Mulder; they want to believe. After running checks for known vulnerabilities (e.g.; device patch state, browser version), the end-user’s device is trusted and critical corporate data begins to flow to the endpoint. But why not say “zero trust” and mean it? With WorkSpaces Web, there is no need to trust the device because no html, document object model (DOM), or sensitive company data is transmitted to the local machine. By isolating the device, corporate network, and internet from each other, the browser attack surface is virtually eliminated.

WorkSpaces Web customers range from the Fortune 500 to 50-person startups, with verticals like healthcare, technology, financial services, entertainment, business process outsourcers (BPOs), and public sector agencies. Use cases vary from providing access on unmanaged devices for DevOps, to enabling outside firms with access to collaborative web applications, to everyday access to CRMs for sales teams. In short, anyone who uses the internet as a key part of their work routine can benefit from WorkSpaces Web. Not surprisingly, we have seen broad adoption with “digital natives” or “born in the cloud” companies. These organizations recognize the benefits of the cloud, particularly speed and agility, and require the security to operate confidently on the web.

One of my favorite examples is MelodyArc, a company that provides everything a business needs to deliver great customer support in a single service. Their all-in-one solution handles the complexities of running customer support operations, including responsibly using AI, staffing and managing human agents, and leveraging both for what they do best. Because the company handles customer data, securing their online applications is mission critical. I recently caught up with James McHenry, co-founder and CEO of Melody Arc, who shared the following:

“One of the most challenging and costly parts of security certifications, like SOC2, is end-user device management. The most challenging part of building the service was securing our agents’ devices. MelodyArc does not hire agents directly, we source them from great customer support outsourcing companies. This lets us tap into an enormous and well-established pool of customer support talent. However, this strategy also makes it prohibitive to manage agent devices. This is where WorkSpaces Web came in. WorkSpaces Web enables us to deploy a managed experience to our agents, regardless of how they are setup. Our primary needs were, 1) high availability (HA), 2) multi-region support, and 3) the ability to handle dynamic users counts. Since our agent population changes frequently, a solution licensed to individual users for an extended period of time would not work. In our discovery phase, we piloted a self-hosted solution. Meeting several of the needs, such as HA and multi-region, required significant effort in DevOps time and escalating infrastructure costs. In hindsight, we initially undervalued the benefit of a managed solution like WorkSpaces Web.“

I love James’ point on the value of a managed solution. So much time and energy can be invested in activity that does not move your fundamental business forward. I encourage companies to look for solutions like WorkSpaces Web that offload the ongoing administrative burden (e.g.; pushing security updates, managing infrastructure, scaling), so that businesses can focus on their core business.

In closing, I want to emphasize that this is still Day One (as we often say at AWS). Our roadmap is full of innovations and improvements that we look forward to delivering to customers. And, we are always listening. If your company could benefit from WorkSpaces Web, but you need something that doesn’t appear on our website, reach out to us at workspaces-web-feedback@amazon.com. We talk with hundreds of customers every year. These discussions are an integral part of our roadmap planning process.

Finally, if you haven’t already done so, check out my recent talk at End User Computing Innovation Day 2023 and visit the WorkSpaces Web webpage to learn more or to get started with your first deployment. Safe browsing!

I began working at Amazon in 2008, spending 12 of those 15 years in AWS. I have had the good fortune to participate in a number of new product initiatives, including Amazon RDS, DynamoDB, the Kindle Fire tablet, Amazon’s “Just Walk Out” technology, and most recently, Amazon WorkSpaces Web. The majority of my career has been focused on the web, web services, and browsers. I am currently the General Manager for Web Browser Experiences within End User Computing here at AWS.